Comments

From: Dave Jones <davej@redhat.com>
Date: Wed, 1 Sep 2010 16:05:55 -0400
> On Wed, Sep 01, 2010 at 01:03:33PM -0700, David Miller wrote:> > You'll have to use exactly the same formula for computing the length> > as the pci_map_single() call uses, which is:> > > > pktlen = skb_shinfo(skb)->nr_frags == 0 ?> > max_t(unsigned int, skb->len, ETH_ZLEN) :> > skb_headlen(skb);> > > > Otherwise packets smaller than ETH_ZLEN will be unmapped properly> > and trigger the same kind of debugging checks Dave is seeing.> > Looks like you're right.> > [ 5674.506024] via-velocity 0000:00:0e.0: DMA-API: device driver frees DMA memory with different size [device address=0x0000000018e555fa] [map size=54 bytes] [unmap size=108 bytes]
Looking more closely at this driver, it is ALL KINDS OF MESSED UP and
is full of mega-lulz wrt. TX dma mapping handling.
It computes a length as an integer, with an override that comes from
the TX descriptor. Then it unconditionally little-endian converts
the thing.
First, it uses pci_unmap_single() instead of pci_unmap_page() for the
fragments.
Second, for a fragmented SKB it fetches the length from the descriptor
which as we saw can be modified by the chip.
Third, it makes NULL pointer checks that make absolutely no sense.
It checks "td_info->skb_dma" which is an array, that will never be
NULL. It also checks &(vptr->tx.infos[q][n]) against NULL which
will not be NULL even if vptr->tx.infos is which is maybe what it
meant to check.
Let's try to unravel all of this mess.
Dave can you test out this patch?
Ugh, while writing this I spotted another bug. It can't do this
ETH_ZLEN thing, it has to use skb_padto(). Otherwise it's just
transmitting arbitrary kernel memory at the end of the SKB
buffer onto the network which is a big no-no. I'll fix that
with another patch.
via-velocity: Fix TX buffer unmapping.
Fix several bugs in TX buffer DMA unmapping:
1) Use pci_unmap_page() as appropriate.
2) Don't try to fetch the length from the DMA descriptor,
the chip and modify that value. Use the correct lengths,
calculated the same way as is done at map time.
3) Kill meaningless NULL checks (against embedded sized
arrays which can never be NULL, and against the address
of the non-zero indexed entry of an array).
Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

From: David Miller <davem@davemloft.net>
Date: Wed, 01 Sep 2010 13:34:14 -0700 (PDT)
> Ugh, while writing this I spotted another bug. It can't do this> ETH_ZLEN thing, it has to use skb_padto(). Otherwise it's just> transmitting arbitrary kernel memory at the end of the SKB> buffer onto the network which is a big no-no. I'll fix that> with another patch.
Actually, these ETH_ZLEN things in the length calculation can
just be deleted. It does in fact use skb_padto() properly earlier
in the xmit function.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html